Alias Access

Techniques to allow or deny access to your aliases

There are a few ways to allow or limit access to your aliases.

Default Behavior

All aliases are open by default. Anyone can request images using your account token pointing to your existing aliases. This may be fine in most cases.

The Referer List

Each alias has a referer list. When this list is empty, the alias is open for anyone to request images. Once you put an entry into the list, it becomes a whitelist, and only the listed domains can make successful requests.

A referer is defined by the Referer request header, which contains the address of the page making the request. When following a link, this is the URL of the page containing the link.

To add a referer to the alias, enter it in the form //www.example.com

This allows any page from the www.example.com domain to use the alias. Any other domain that attempts to use your alias will receive an HTTP 403 Forbidden error.

The referer match logic is a simple prefix match: if you enter //www, the alias will allow any requester whose address starts with www.
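The prefix match described above can be modelled to see which referers a list entry admits before you save it. This is an added example, not the service's own code; the function names, the sample referers, and the treatment of a missing Referer header as a denial are assumptions.

```python
from urllib.parse import urlsplit

def scheme_relative(referer):
    """Reduce a Referer value to the //host/path form used by list entries."""
    parts = urlsplit(referer)
    if not parts.netloc:
        return None  # missing or malformed Referer
    return "//" + parts.netloc.lower() + parts.path

def referer_allowed(referer, entries):
    """Assumed model of the check: an empty list is open, otherwise prefix match."""
    if not entries:
        return True
    candidate = scheme_relative(referer or "")
    if candidate is None:
        return False  # assumption: no Referer cannot match a non-empty list
    return any(candidate.startswith(e.lower()) for e in entries)

def admitted(entries, probes):
    """Map each entry to the probe referers it would admit on its own."""
    return {e: [p for p in probes if referer_allowed(p, [e])] for e in entries}

# Constructed sample referers, not taken from real traffic.
PROBES = [
    "https://www.example.com/gallery",
    "https://www.example.org/",
    "https://www.example.com.other.test/",
    "https://shop.example.com/cart",
]

if __name__ == "__main__":
    for entry, hits in admitted(["//www", "//www.example.com"], PROBES).items():
        print(entry, "->", hits)
```

Under this model a bare host entry also admits longer host names that begin with the same characters, so check each entry against the hosts you expect to reject as well as the ones you expect to allow.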

Using the Key Parameter

Every alias has a locked toggle which, when turned on, requires a key parameter to open it.

If you lock your alias, each request will need to provide a valid key for the request to work. A key is a combination of your token, a secret string, and the transformation parameters for the request. This makes the key work per request variant. If you need the same image at a different size, that will require a different key.

A key generated with your account secret will unlock any of your aliases. You can generate secrets per alias, so you do not have to hand out the master key; instead you can hand out keys to a specific alias. You can also revoke these keys at any time.

Please refer to Key Generation for examples in different languages.

This technique is meant to be used server-side as the secret should not be exposed publicly.

If the key is not valid, a 403 error is returned. If anyone tries to change the operations in the URL, such as changing the width to a different value, the key will no longer be valid and the request will fail.
